By CSP, do you mean Content Security Policy? I have used
Tomcat's
httpHeaderSecurity to add protection against malicious requests.
You should be aware that Struts 1.2.7 has known vulnerabilities to cross site scripting (
among other known attacks) and I don't know that a filter at the server layer would protect against that.
If you are concerned about security (including XSS), the solution is to upgrade Struts or move to another framework.